
Azure ARM: Use temporary public key and disable SSH (#1363)
This uses the script to kill SSH as an additional precaution.

Public IP to be removed in future change.

- Generate public ssh key:
This removes the need for the seed parameter by using a
`Microsoft.Resources/deploymentScripts` resource to generate a temporary
public key. The private key is thrown out and ssh is still disabled by
the deployment script.

The downside of this approach is that the deployment script needs some time
to complete, which lengthens the overall deployment.
orestisfl authored Sep 28, 2023
1 parent 0bc19f5 commit 7ab95f3
Showing 3 changed files with 72 additions and 10 deletions.
41 changes: 35 additions & 6 deletions deploy/azure/README.md
Expand Up @@ -4,20 +4,49 @@ This is a work in progress.

Deploy the JSON template at https://portal.azure.com/#create/Microsoft.Template.

To be able to ssh into the vm, you need to change the password before deploying:
To be able to ssh into the vm, you need to change the password before deploying and also to remove the installation
script as it resets the password and disables ssh. You'll need to install the agent manually after ssh-ing into the
machine.

```diff
diff --git a/deploy/azure/azureARMTemplate.json b/deploy/azure/azureARMTemplate.json
index 41defb01..f97234e3 100644
index 2a3365c8..f17ed213 100644
--- a/deploy/azure/azureARMTemplate.json
+++ b/deploy/azure/azureARMTemplate.json
@@ -58,7 +58,7 @@
@@ -65,7 +65,7 @@
"osProfile": {
"computerName": "cloudbeat",
"adminUsername": "cloudbeatVM",
- "adminPassword": "[guid('')]",
"computerName": "cloudbeatVM",
"adminUsername": "cloudbeat",
- "adminPassword": "[concat('Salt123@', guid(parameters('Seed')))]",
+ "adminPassword": "My-password123!",
"linuxConfiguration": {
"disablePasswordAuthentication": false
}
@@ -153,26 +153,6 @@
"publicIPAllocationMethod": "Dynamic"
}
},
- {
- "type": "Microsoft.Compute/virtualMachines/extensions",
- "apiVersion": "2021-04-01",
- "name": "cloudbeatVM/customScriptExtension",
- "location": "[resourceGroup().location]",
- "dependsOn": [
- "[resourceId('Microsoft.Compute/virtualMachines', 'cloudbeatVM')]"
- ],
- "properties": {
- "publisher": "Microsoft.Azure.Extensions",
- "type": "CustomScript",
- "typeHandlerVersion": "2.1",
- "settings": {
- "fileUris": [
- "https://raw.githubusercontent.com/elastic/cloudbeat/main/deploy/azure/install-agent.sh"
- ],
- "commandToExecute": "[concat('bash install-agent.sh ', parameters('ElasticAgentVersion'), ' ', parameters('ElasticArtifactServer'), ' ', parameters('FleetUrl'), ' ', parameters('EnrollmentToken'))]"
- }
- }
- },
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
```
31 changes: 27 additions & 4 deletions deploy/azure/azureARMTemplate.json
Expand Up @@ -35,7 +35,8 @@
"name": "cloudbeatVM",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', 'cloudbeatNic')]"
"[resourceId('Microsoft.Network/networkInterfaces', 'cloudbeatNic')]",
"[resourceId('Microsoft.Resources/deploymentScripts', 'cloudbeatGenerateKeypair')]"
],
"properties": {
"hardwareProfile": {
Expand All @@ -58,9 +59,16 @@
"osProfile": {
"computerName": "cloudbeatVM",
"adminUsername": "cloudbeat",
"adminPassword": "[guid('')]",
"linuxConfiguration": {
"disablePasswordAuthentication": false
"disablePasswordAuthentication": true,
"ssh": {
"publicKeys": [
{
"path": "/home/cloudbeat/.ssh/authorized_keys",
"keyData": "[reference('cloudbeatGenerateKeypair').outputs.public_key]"
}
]
}
}
},
"networkProfile": {
Expand Down Expand Up @@ -118,7 +126,8 @@
"name": "cloudbeatNic",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', 'cloudbeatVNet')]"
"[resourceId('Microsoft.Network/virtualNetworks', 'cloudbeatVNet')]",
"[resourceId('Microsoft.Network/publicIPAddresses', 'cloudbeatPublicIP')]"
],
"properties": {
"ipConfigurations": [
Expand Down Expand Up @@ -165,6 +174,20 @@
}
}
},
{
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2020-10-01",
"name": "cloudbeatGenerateKeypair",
"location": "[resourceGroup().location]",
"kind": "AzureCLI",
"properties": {
"azCliVersion": "2.51.0",
"cleanupPreference": "Always",
"retentionInterval": "P1D",
"scriptContent": "#/bin/bash -e\nyes | ssh-keygen -f sshkey -N ''\necho \"{\\\"public_key\\\":\\\"$(cat sshkey.pub)\\\"}\" > $AZ_SCRIPTS_OUTPUT_PATH",
"timeout": "PT30M"
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
Expand Down
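Review bot: The `scriptContent` of `cloudbeatGenerateKeypair` writes the private half to `sshkey` and never removes it, so it stays in the script's working directory (which, as far as I recall, is a mounted Azure Files share for deployment scripts) until `cleanupPreference: Always` tears the resources down; since the commit's intent is to throw the private key away, delete it as soon as the public key is captured: `ssh-keygen -f sshkey -N '' && pub=$(cat sshkey.pub) && rm -f sshkey`. The first line `#/bin/bash -e` is missing the `!`, so it is a plain comment and `-e` is never applied; the AzureCLI kind runs the content through bash anyway, so add `set -e` (or fix the shebang) so a failed `ssh-keygen` fails the deployment instead of emitting an empty `public_key` that the VM then accepts as its only credential. The output JSON is assembled with `echo` and three levels of escaping; an ssh-keygen public line contains no quotes or backslashes so it works today, but `printf '{"public_key":"%s"}' "$pub" > "$AZ_SCRIPTS_OUTPUT_PATH"` is easier to read and audit.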
10 changes: 10 additions & 0 deletions deploy/azure/install-agent.sh
@@ -1,6 +1,14 @@
#!/bin/bash
set -euxo pipefail

# Delete password, stop and disable ssh
sudo passwd --delete cloudbeat &
(
sudo systemctl disable --now ssh || true
sudo systemctl mask ssh.service || true
sudo killall sshd || true
) &

usage="$0 <elastic agent version> <elastic artifact server> <fleet url> <enrollment token>"
ElasticAgentVersion=${1:?$usage}
ElasticArtifactServer=${2:?$usage}
Expand All @@ -12,3 +20,5 @@ curl -L -O "${ElasticArtifactServer}/$ElasticAgentArtifact.tar.gz"
tar xzf "${ElasticAgentArtifact}.tar.gz"
cd "${ElasticAgentArtifact}"
sudo ./elastic-agent install --non-interactive --url="${FleetUrl}" --enrollment-token="${EnrollmentToken}"

wait
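Review bot: `sudo passwd --delete cloudbeat` empties the account's password hash rather than locking the account; depending on the distro's PAM configuration (Ubuntu's `common-auth` carries `nullok`) that allows logging in as `cloudbeat` with an empty password from paths that disabling SSH does not cover, such as a serial console or `su` from another account. Lock the account instead: `sudo passwd --lock cloudbeat` (or `sudo usermod --lock cloudbeat`). The command is also backgrounded with `&`, and the closing `wait` without a PID always returns 0 in bash, so a failed `passwd` is silently swallowed despite `set -e`; run it synchronously, or capture `$!` and `wait "$!"` at the end. The `|| true` guards inside the ssh subshell read as deliberate best-effort and can stay as they are.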
